Arizona’s data breach statute is divided into two sections of the relevant code. This is part 1/2.
DISCLAIMER: THIS IS NOT AN OFFICIAL VERSION OF THE INDICATED STATUTE. THIS TEXT AND CONTENT IS PROVIDED FOR REFERENCE AND / OR EDITORIAL OR EDUCATIONAL PURPOSES ONLY AND SHOULD NOT BE RELIED UPON BY ANY PERSON FOR ANY REASON.
In this article, unless the context otherwise requires:
1. “Breach” or “security system breach”:
(a) Means an unauthorized acquisition of and unauthorized access that materially compromises the security or confidentiality of unencrypted and unredacted computerized personal information maintained as part of a database of personal information regarding multiple individuals.
(b) Does not include a good faith acquisition of personal information by a person’s employee or agent for the purposes of the person if the personal information is not used for a purpose unrelated to the person and is not subject to further unauthorized disclosure.
2. “Court” means the supreme court, the court of appeals, the superior court, a court that is inferior to the superior court and a justice court.
3. “Encrypt” means to use a process to transform data into a form that renders the data unreadable or unusable without using a confidential process or key.
4. “Individual” means a resident of this state who has a principal mailing address in this state as reflected in the records of the person conducting business in this state at the time of the breach.
5. “Nationwide consumer reporting agency”:
(a) Means a consumer reporting agency that compiles and maintains files on consumers on a nationwide basis as defined in 15 United States Code section 1681a(p).
(b) Does not include a nationwide specialty consumer reporting agency as defined in 15 United States Code section 1681a(x).
6. “Person”:
(a) Means a natural person, corporation, business trust, estate, trust, partnership, association, joint venture, government or governmental subdivision or agency or any other legal or commercial entity.
(b) Does not include the department of public safety, a county sheriff’s department, a municipal police department, a prosecution agency or a court.
7. “Personal information”:
(a) Means any of the following:
(i) An individual’s first name or first initial and last name in combination with one or more specified data elements.
(ii) An individual’s user name or e-mail address, in combination with a password or security question and answer, that allows access to an online account.
(b) Does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.
8. “Prosecution agency” means the attorney general, a county attorney or a municipal prosecutor.
9. “Redact” means to alter or truncate a number so that not more than the last four digits are accessible and at least two digits have been removed.
10. “Security incident” means an event that creates reasonable suspicion that a person’s information systems or computerized data may have been compromised or that measures put in place to protect the person’s information systems or computerized data may have failed.
11. “Specified data element” means any of the following:
(a) An individual’s social security number.
(b) The number on an individual’s driver license issued pursuant to section 28-3166 or nonoperating identification license issued pursuant to section 28-3165.
(c) A private key that is unique to an individual and that is used to authenticate or sign an electronic record.
(d) An individual’s financial account number or credit or debit card number in combination with any required security code, access code or password that would allow access to the individual’s financial account.
(e) An individual’s health insurance identification number.
(f) Information about an individual’s medical or mental health treatment or diagnosis by a health care professional.
(g) An individual’s passport number.
(h) An individual’s taxpayer identification number or an identity protection personal identification number issued by the United States internal revenue service.
(i) Unique biometric data generated from a measurement or analysis of human body characteristics to authenticate an individual when the individual accesses an online account.